If proposed amendments to existing cybersecurity interpretive guidance become final, National Futures Association members may need to bring their cybersecurity policies up to date. Changes include a new notification requirement for cybersecurity incidents, inclusion of training topics in the cybersecurity policy, and clarification on who must approve cybersecurity policies.
On December 5, the National Futures Association (NFA) announced proposed amendments to its cybersecurity interpretive guidance (Interpretive Notice 9070, Information Systems Security Programs), adopted in 2015. If the proposal goes into effect without modifications, NFA member firms will have to update their Information Systems Security Programs (i.e., cybersecurity policies) and ensure that the appropriate person has approved such policy in writing.
Changes to Existing NFA Cybersecurity Interpretive Notice
The proposed amendments include three main changes:
A new notification requirement for cybersecurity incidents
The inclusion of training topics that an NFA member will include in its cybersecurity training, described within the NFA member’s cybersecurity policy
Clarification on who must approve the NFA member’s cybersecurity policy
NFA made some other changes, such as eliminating sources for guidance on cybersecurity topics, explaining that its cybersecurity FAQ webpage contains much of this information.
New Notification Requirement
The proposal includes a new NFA notification requirement:
The Member should have procedures to promptly notify NFA in the form and manner required of a cybersecurity incident related to the Member's commodity interest business and that results in: 1) any loss of customer or counterparty funds; 2) any loss of a Member's own capital; or 3) in the Member providing notice to customers or counterparties under state or federal law. In notifying NFA, the Member must provide a written summary of the incident with the relevant details. If the Member provides a notice to customers or counterparties, however, the Member may provide a copy of the notice to NFA in lieu of a written summary. If substantially identical notices regarding the same incident are provided to multiple parties (e.g. to all affected customers in a breach of personally identifiable information), the Member should only provide a copy of one particular notice as an example.
NFA advises that members should be familiar with notice requirements and encourages members to maintain contact information of applicable regulatory bodies so that it is available before an event occurs. In addition, NFA explains that a futures commission merchant or introducing broker that files a suspicious activity report (SAR) should not provide NFA with a copy of the SAR but, rather, should provide NFA with a summary of the relevant details of the cybersecurity event.
Inclusion of ‘Training Topics’ to Be Covered in Cybersecurity Training Within Cybersecurity Policy or Program
The proposal would require a cybersecurity policy to include training topics that will be covered in cybersecurity training. NFA continues to advise members to consider including training topics such as social engineering tactics and “other general threats posed for system compromise and data loss.” NFA also clarifies that training should be provided upon hiring an employee and annually (instead of periodically) thereafter.
Cybersecurity Policy or Program Approval
NFA’s existing guidance requires an NFA member to have its chief executive officer (CEO), chief technology officer (CTO), or other “executive level official” approve its cybersecurity policy in writing and retain a record of this approval. NFA has clarified its expectations in terms of who must approve the program. Under the proposal, a member must have its CEO, CTO, or chief information security officer or a “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP” approve its cybersecurity policy in writing, and must retain a record of this approval.
Once the guidance is effective, NFA members should take the following steps to comply with the NFA guidance:
Update the member’s cybersecurity policy or other relevant procedural manual to include compliance policies and procedures in connection with the new NFA notification requirement.
Include the new NFA notification requirement as a step in the member’s incident response plan.
If needed, update the member’s cybersecurity policy to include training topics that will be covered in the member’s cybersecurity training programs. In addition, the cybersecurity policy should reflect that training will be provided upon hiring and on an annual basis.
Ensure that an appropriate person has approved the member’s cybersecurity policy in writing. If the person who has approved the policy does not fall within the scope of NFA’s clarification, then the member should seek the written approval of an individual who does meet the qualifications in the proposal.